T1053.002: At
Adversaries may abuse the at utility to perform task scheduling for initial or recurring execution of malicious code. The at utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of Scheduled Task's schtasks in Windows environments, using at requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
On Linux and macOS, at may be invoked by the superuser as well as any users added to the at.allow
file. If the at.allow
file does not exist, the at.deny
file is checked. Every username not listed in at.deny
is allowed to invoke at. If the at.deny
exists and is empty, global use of at is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use at.
Adversaries may use at to execute programs at system startup or on a scheduled basis for Persistence. at can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account (such as SYSTEM).
In Linux environments, adversaries may also abuse at to break out of restricted environments by using a task to spawn an interactive system shell or to run system commands. Similarly, at may also be used for Privilege Escalation if the binary is allowed to run as superuser via sudo
.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
mitre_attck_lateral_movement: PT-CR-211: Remote_Code_Execution_Via_AtSvc: Remote creation of a Windows scheduled task with AtSvc
mitre_attck_lateral_movement: PT-CR-2330: Subrule_Task_Created_via_Atsvc: A Windows scheduled task was created with AtSvc
hacking_tools: PT-CR-2332: Atexec_Activity: The AtExec tool designed to run commands using scheduled Windows tasks was used
unix_mitre_attck_persistence: PT-CR-1669: Unix_At_Job_Modify: A task was created with an AT command
Detection
ID | DS0022 | Data source and component | File: File Modification | Description | On Windows, monitor Windows Task Scheduler stores in |
---|
ID | DS0017 | Data source and component | Command: Command Execution | Description | Monitor executed commands and arguments for actions that could be taken to create/modify tasks. Tasks may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data. |
---|
ID | DS0003 | Data source and component | Scheduled Job: Scheduled Job Creation | Description | Monitor for newly constructed scheduled jobs. If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. On Windows, enable the "Microsoft-Windows-TaskScheduler/Operational" setting within the event logging service where several events will then be logged on scheduled task activity, including:
Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. |
---|
ID | DS0029 | Data source and component | Network Traffic: Network Traffic Flow | Description | Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. When AT.exe is used to remotely schedule tasks, Windows uses named pipes over SMB to communicate with the API on the remote machine. After authentication over SMB, the Named Pipe This pipe activity could be discovered with a network decoder, such as that in wireshark, that can inspect SMB traffic to identify the use of pipes. It could also be detected by looking for raw packet capture streams or from a custom sensor on the host that hooks the appropriate API functions. If no network or API level of visibility is possible, this traffic may inferred by looking at SMB connections over 445/tcp followed by the creation of files matching the pattern
|
---|
ID | DS0009 | Data source and component | Process: Process Creation | Description | Monitor for newly constructed processes with command-lines that create/modify or are executed from tasks. For example, on Windows tasks may spawn from Analytic 1 - Scheduled Task
|
---|
Mitigation
ID | M1026 | Name | Privileged Account Management | Description | Configure the Increase Scheduling Priority option to only allow the Administrators group the rights to schedule a priority process. This can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Increase scheduling priority. |
---|
ID | M1028 | Name | Operating System Configuration | Description | Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM. The associated Registry key is located at |
---|
ID | M1047 | Name | Audit | Description | Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges. Windows operating system also creates a registry key specifically associated with the creation of a scheduled task on the destination host at: Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1. In Linux and macOS environments, scheduled tasks using |
---|
ID | M1018 | Name | User Account Management | Description | Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems. In Linux environments, users account-level access to |
---|